Former Member
Breaking News : OPS$ remote connect (using the TNS alias name) is no longer supported by future Oracle versions.

{The database parameter "REMOTE_OS_AUTHENT" has in fact been deprecated since the first release of Oracle 11g - Oracle Note ID 456001.1}

Thanks to the television media for diluting the phrase "Breaking News" so much that anyone can use it wherever they like. Also, whose idea was it, Oracle's or SAP's, to pair "is" with "future"? To a person like me with no strong background in English it sounds funny... anyway, let's begin our discussion...

As we know, ops$ is (or was) used by the SAP kernel and BR*Tools to establish the connection to the Oracle database, so it was time for SAP to change its kernel to accommodate Oracle's breaking news. SAP came up with a kernel modification: these new kernels can connect to the Oracle database without the ops$ mechanism. So far they are downward compatible, meaning that by default, without any additional settings, they connect the old way, and once the settings have been made they use SSFS to connect to the DB. Note 1611877 - Support for ABAP SSFS during database connect. According to this note the new functionality is available from SAP KERNEL 7.20 SP098, but the other notes say patch level 100.

Before we discuss this new mechanism further, let's briefly understand how the combination of ops$ (os_authent_prefix) and remote_os_authent created a security vulnerability.

How does OS authentication work for an Oracle database?

It takes 3 things to work:

1. The Oracle parameter OS_AUTHENT_PREFIX needs to be set

2. A database user ID of the form os_authent_prefix + OS user ID

Example: if os_authent_prefix is set to "cool_" and there is an operating-system user "john", then the database must contain a user "cool_john"

3. In the database this user ID must be created as IDENTIFIED EXTERNALLY

With this setting john can connect to the database by issuing the command "connect /". But there is a limitation: if the database user "cool_john" has the password "pqr1" and john wants to use the command "connect cool_john/pqr1", he will not be able to do so.

For this reason Oracle created a special prefix, our very own OPS$.

Now, with os_authent_prefix=ops$, john can connect with either command: "connect /" or "connect ops$john/pqr1".

Security risk: if the OS user ID "john" is compromised by any means, it gives access to the database as a bonus by default.

Hold on please! We have not yet discussed another database parameter, "remote_os_authent".

If REMOTE_OS_AUTHENT = TRUE

the bad guy does not need to work hard to break into john's account on the server where the database is installed. He can create an OS user ID john on any server or PC that is allowed to connect to the DB server machine, and the database will trust the user name that remote client sends.

It is true that only a limited set of machines is generally allowed to connect to the database server, and those machines are secured from an OS-authentication perspective. But for a reputable vendor like Oracle it was not acceptable to rely so heavily on the security mechanisms of multiple remote machines. Sooner or later this was bound to happen.

The detailed mechanism and what to do are already captured in these notes, so I will not repeat the same material here.
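The three conditions and the remote_os_authent setting described above, as an added SQL example (written for this post, not taken from the blog, SAP notes or Oracle documentation); the user name "john" and the prefix are assumptions, and the audit queries assume Oracle 11g or later for the dba_users.authentication_type column.

```sql
-- Condition 1: the prefix. OS_AUTHENT_PREFIX is a static parameter,
-- so the change lands in the spfile and needs an instance restart.
ALTER SYSTEM SET os_authent_prefix = 'ops$' SCOPE = SPFILE;

-- Conditions 2 and 3: prefix + OS user name, identified externally.
-- Oracle stores the name in upper case and compares the OS user name
-- "john" against it after upper-casing, so "sqlplus /" as john maps here.
CREATE USER "OPS$JOHN" IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO "OPS$JOHN";

-- The setting the post warns about: with TRUE the database also trusts
-- the OS user name presented by a remote client over SQL*Net, so anyone
-- who can create a local user "john" on an allowed client host gets in.
ALTER SYSTEM SET remote_os_authent = TRUE SCOPE = SPFILE;   -- weak

-- Audit: what is in effect right now, and which users have no DB password?
SELECT name, value
  FROM v$parameter
 WHERE name IN ('os_authent_prefix', 'remote_os_authent');

SELECT username, account_status
  FROM dba_users
 WHERE authentication_type = 'EXTERNAL';   -- 11g+; older: password = 'EXTERNAL'

-- Mitigation: limit OS authentication to local logins (the 11g default and
-- the setting Note 456001.1 deprecates the other way), then lock OPS$ users
-- that are no longer needed once the kernel and BR*Tools connect via SSFS.
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;  -- hardened
ALTER USER "OPS$JOHN" ACCOUNT LOCK;
```

Run the two SELECTs as SYSDBA after the restart to confirm that remote_os_authent reports FALSE and that only the expected OPS$ accounts remain externally identified.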

Note 1622837 - Secure connection of AS ABAP to Oracle via SSFS

Note 1639578 - SSFS as password storage for primary database connect

Note 1764043 - Support for secure storage in BR*Tools

SAP White Paper: Oracle Database Administration


My other Blogs, if you have time...

What's new in SAP NetWeaver 7.3 - A Basis perspective Part-I

What's new in SAP NetWeaver 7.3 - A Basis perspective Part-II

Bye bye STRUSTSSO2: New Central Certificate Administration NW7.3

Escaping tough moments of SPAM or SAINT

Multiple/Bulk transports with tp script for Unix (AIX, Solaris, HP-UX, Linux)

Holistic Basis View: BusinessObjects BI 4.0 SP 2 Installation & Configuration

How to Rename the Oracle Listener & Change Listener port for SAP

OSS1 & RFC connections SAPOSS, SAPNET_RFC, SDCC_OSS

Start/Stop SAP along with your Unix Server Start/Stop

Interrelation: SAP work process, OPS$ mechanism, oracle client & oracle shadow process

Install and configure NetWeaver PI 7.3 Decentralize Adapter part-1

Install and configure NetWeaver PI 7.3 Decentralize Adapter part-2

List of Newly added/converted Dynamic parameter in NetWeaver 7.3

5 Comments
volker_borowski2

Yeah,

and the first thing SAP forgot was to adopt the sapinst call to the new ORADBUSR.SQL call in the 7.30 System-Copy-Procedure. After the DB is opened the procedure simply hangs because the new parameter "&5" for ORADBUSR.SQL is not fed, so the SQL script hangs in a prompt 🙂

Check out recent SDN postings regarding Oracle Versions 9.2 and 10.2 and the guess when we will REALLY get rid of this thing.

Nevertheless, a pretty good collection of references.

Joining the four stars.

Volker

Former Member

The second was to implement the mechanism for the shadow schema/shadow instance user when doing upgrades.

And brtools still easily screw up when you run brconnect -f passwd from sidadm or orasid.

Cheers Michael

former_member195313

After kernel version 7.40 the SSFS method is a must..

Secure Storage in File System (SSFS) for SAP

raulc1

In any case, after the 11.2.0.4 Oracle upgrade SSFS is mandatory regardless of the NetWeaver kernel version.

0 Kudos
Checkout OSS Note 2756580 - OPS$ user gets constantly recreated

Note that it has not got a fix. Now why does SAP allow SAP Host Agent to recreate the OPS$ users?

An SAP user might be able to create and run a SQL script as the OPS$ user from inside SAP (via RSBDCOS0 or an external command) on a non-distributed DB system, resulting in system pwnage.
